Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

Things change. Sometimes they change fast. And although the forces of freedom usually have an edge tech-wise, sometimes the state scores. Beware.

Update: A comment via email from William Gillis seems worth reproducing in its entirety:

I think it’s irresponsible not to note more prominently how this attack worked, which is to say it exploited a month-old hole in Firefox 17, which the Tor Browser Bundle is currently built on. The latest Tor Alpha was ALREADY immune before the attacks, although regrettably delayed in deployment as a major update. Further, the attacks exploit Windows machines specifically. Lastly, this isn’t something that attacks Tor per se; people running Tor but not the browser based on Firefox didn’t get hurt. Telling folks they should reconsider using the Tor Onion Router is ridiculous when this is an attack against the Tor Browser Bundle. I think it would be better to frame this as a *reminder* to not rely too deeply on TBB alone and disable JavaScript by default with NoScript/NotScript/etc. and swap to Linux.